Currently "All except…" exists for MAC/IP Addresses in Access Restrictions, but for blocking ports, you need to specify each port individually. A "Block all ports except…" in the GUI would make things cleaner.
You can specify multiple port ranges for blocked ports, leaving what you want to keep open outside of these ranges, i.e. to block all dst ports except 1001-1024, specify:
Dst Port: 1-1000,1025-65535
That's true, but I guess I was being lazy, plus I wanted it to be more readable. If there are 15 ports I want open and they're not contiguous (SSH, SMTP SSL, etc etc), then that's a lot of commas.